Dragon Age: ORIGINS

Hacking Any Other Offline Single-Player Game


Re: Dragon Age: ORIGINS

Postby WhiteHat » Sun Jan 03, 2010 11:20 am

Aspras wrote:IMO the best way to do this would be by using auto-hack to find what accesses the address of specialization points and then studying the area around the addresses that showed up using a debugger.

That could work... But, this is a complex game which allows multiple players to have their own logins. And since this availability of specialization works for every login on the same PC, I believe that the flags which hold their availability don’t reside around specialization points (which we know differ between logins)...

In fact, I did study the values around it, and I am sure there is nothing like that (also, I can say for sure that the specialization point is a float). I’ll post the Hex Editor screenshot soon, and this is the unpatched version...


[Psych] wrote:I highly doubt an update/version difference is going to change the datatypes the game uses for its variables. There isn't going to be one guy who, on his game, has found HP using LONG, and another dude bringing it up as FLOAT :-/ It is, however, possible that one datatype is used for the real value, and another used for the ghost value, which is present in some games (maybe in this one; I don't know).

I agree with him...


Aspras wrote:The addresses I had found were definitely not ghost ones. I remember using a .lssave file when I had the unpatched version of the game where all the addresses were unsigned long, that's why I mentioned they were unsigned long when I posted the first injection and those few pointers in the first place. What I suspect might have happened is me having searched for 4 byte addresses using cheat engine instead of mhs and then having transferred the pointers to mhs and used unsigned long instead of float.

Well, a Float uses the same size as an Unsigned Long (4-byte integer). However, which data type is really used by the game, IMO, can be determined by:
- Using common sense about the value. We should assume that 0x3F800000 is 1.0 Float rather than some integer value.
- Auto-Hacking the values and seeing what kind of ASM operators access them. (This is probably the best way, should there be no debugging protections.)

Still, correct me if I’m wrong...



---------------------------------------------------------------------------------------------------------------------------------------------
EDIT:


Here are the screen shots:

MHS Main List (I used the same LSSave as my previous post): [screenshot]

And here’s what it looks like in the MHS Hex Editor: [screenshot]
I highlighted the specialization points address at 0x2B6C220C...


Notice that:
- Current ATTRIBUTE POINTS value found in address: 0x2B6C212C, 0x41200000 = 10.00 float
- Current SKILL POINTS value found in address: 0x2B6C219C, 0x41F00000 = 30.00 float
- Current TALENT/SPELL POINTS value found in address: 0x2B6C212C, 0x41D80000 = 27.00 float
- Current SPECIALIZATION POINTS value found in address: 0x2B6C220C, 0x40800000 = 4.00 float
all of them are Float data-type and have been tested as the working ones...

Also notice that each of them resides a few bytes after the Unicode string which describes its purpose. And if we study those values around a bit, we will find some interesting values that may have something to do with the lists, like max value etc...
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...
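WhiteHat's first check above (does the dword make sense when read as a float rather than as an unsigned long?) can be automated for a list of candidate values. The following is an added Python example, not code from this thread or from MHS: it reinterprets the dwords quoted in the post both ways and applies a plausibility test; the magnitude and precision thresholds, and the "small_counter" contrast value, are my assumptions.

```python
import math
import struct

# Dwords quoted in the post above (little-endian memory, shown as integers).
# "small_counter" is a constructed contrast case: the integer 10 stored as a plain dword.
SAMPLES = {
    "attribute_points": 0x41200000,       # 10.0f according to the post
    "skill_points": 0x41F00000,           # 30.0f
    "talent_spell_points": 0x41D80000,    # 27.0f
    "specialization_points": 0x40800000,  # 4.0f
    "small_counter": 0x0000000A,          # constructed: integer 10
}

def dword_as_float(dword: int) -> float:
    """Reinterpret a 32-bit dword as an IEEE-754 single, the way the game would."""
    return struct.unpack("<f", struct.pack("<I", dword & 0xFFFFFFFF))[0]

def looks_like_float(dword: int) -> bool:
    """Plausibility test: a stat stored as float decodes to a finite value of
    modest size with few fractional digits. The thresholds are assumptions."""
    f = dword_as_float(dword)
    if not math.isfinite(f):
        return False
    if f == 0.0:
        return True  # 0x00000000 is zero under both readings
    return 1e-3 <= abs(f) <= 1e6 and round(f, 3) == f

def classify_dword(dword: int, max_int_stat: int = 1_000_000) -> str:
    """'float', 'integer' or 'ambiguous' for a dword holding a game statistic."""
    as_float = looks_like_float(dword)
    as_int = 0 <= dword <= max_int_stat  # a stat stored as unsigned long stays small
    if as_float and not as_int:
        return "float"
    if as_int and not as_float:
        return "integer"
    return "ambiguous"

def classify_samples() -> dict:
    """Name -> (value read as float, verdict) for every sample above."""
    return {name: (dword_as_float(d), classify_dword(d)) for name, d in SAMPLES.items()}

if __name__ == "__main__":
    for name, (f, kind) in classify_samples().items():
        print(f"{name:24s} as float={f:<10g} verdict={kind}")
```

The second check in the post, looking at which instructions access the address, still has to be done in the debugger; this only tells you which reading of the bits is plausible.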

Re: Dragon Age: ORIGINS

Postby LykanthricAura » Wed May 19, 2010 11:33 pm

Told you L.Spiro. One of our members had pulled it off.

Could you please check the second post in this topic by CoMPMStR ...

I downloaded the Lssave. Now I can see the Address (for the 1.0 version of the game) ...

I know this is noob-like of me to ask. But can you explain to me a bit what he has done in the instant usage refill (skills, potions, etc.) thing in the lssave, and if it can help me find the same thing for v1.03 of this game.

Bless you CoMPMStR if you're reading this.
LykanthricAura
I Ask A Lot Of Questions
 
Posts: 16
Joined: Fri Mar 26, 2010 7:38 pm

Re: Dragon Age: ORIGINS

Postby CoMPMStR » Thu May 20, 2010 4:09 am

The way you refind the hack is not by what is in the code cave part, but by what's in the disable part. You also need the bytecode instead of the commands. Here's a quick rundown:

- First load MHS with the lssave, double click on the entry in the list and go to the Auto Assemble tab. (Maybe I should also say you need to be attached to the game as well.)
- Click the Preview button and look under the Trainer Maker Kit Preview, you need to scroll down to the [DISABLE] part and copy the bytecode (it should be D8 1D 24 55 AB 00 for the hack in question).
- Once you copied that, exit the Preview window and click on Search->String Search. For Type put Hex String and paste the bytecode into the String to Find box, uncheck the boxes then click OK.
- When the search is complete you look for a green address that is similar to the current hack address. Let me explain...

For example, the address of the hack you're referring to in v1.0 is 00614882. The same hack's address in v1.01 is 00614FF2. Notice how both of the addresses start with 614 and end in the same digit, 2. You can also see some similarities in that the two digits before the last one are the same in both. When a game is updated from one version to another the code location can change but the code structure usually stays the same. This trick probably won't work for all games but it's something neat to remember when updating to a newer version, plus it's how I first try to refind hacks after I update a game (and it worked for this game).

Once you find the hack address for the new version, all you do is copy the Auto Assemble script from the previous version into the new one and change the addresses around to go with the new version, for the fullaccess function and return address if you don't know how to do what's below.

To make it more hassle-free, you can create a new label for the code cave return jump and jump to it rather than a static address. This makes the script more dynamic and less prone to crashes as well. For example you can change the instant usage refill (skills, potions, etc) to this: (this way you don't have to keep track of the return address at all)

; - This will allow you to instantly reuse any skill, spell, or item directly after using it.
; - This option CAN be enabled at all times without any known issues.

fullaccess(DAOrigins.exe+0x214882, 6)
alloc(jmpspell, 90)
label(skippts)
label(jmpreturn) ;add the return label, you can name it anything just rename all below as well

[enable]
jmp jmpspell
nop
jmpreturn: ;set where to return after the code cave is complete

jmpspell:
fstp dword ptr [ecx+c]
fldz
fcomp dword ptr [ecx+c]
fstsw ax
fwait
sahf
ja skippts
fldz
fst dword ptr [ecx+c]
skippts:
fcomp dword ptr [AB5524]
jmp jmpreturn ;finally jump back to the return label

[disable]
fcomp dword ptr [AB5524]
dealloc(jmpspell)


I hope it's not too much to absorb. If you have any more questions just ask. ;)

PS: I noticed this hack contains a static address in the code. Sometimes when this happens if you try my refind technique as described above you won't yield any valid results. This is mainly due to the fact that the static address used in the code has been changed. L. Spiro has a nice post on wildcard searching with bytecodes somewhere but I can't find it. It shouldn't be needed for this game but you never know. Just wanted to point it out.

______________________________________________________
My Utilities:
CT <-> LSSAVE Converter
LSS Visual Dialog Designer
.NET Trainer Helper Library

~Whether you think you can or you think you can't, you're right.

L. Spiro wrote:In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.
CoMPMStR
(P)ot (I)n (M)y (P)ipe
 
Posts: 451
Joined: Thu Mar 06, 2008 7:50 am
Location: Best Place

Re: Dragon Age: ORIGINS

Postby LykanthricAura » Fri May 21, 2010 3:44 pm

Ok. I searched for the DISABLE bytecode. It did not give any result. Not a single one. Now what...? Wildcard?

And Hey...Can you also explain how you initially searched for this stuff in the game? I mean...say I wanted to do this for any other game which uses a cool-down or build-up time for anything. Like...RTS games ... Age of Empires, Warcraft have the time for building units. How do I search for these values in a game? FPS/TPS games have the cool-down time for guns which overheat when you shoot for too long and also things like the NOS in Need for Speed i.e. values which are completely unknown?

I suppose one can use sub-searches using the [Increased], [Decreased] and [Changed by] search type, but exactly how do you know what you should be looking for?
LykanthricAura
I Ask A Lot Of Questions
 
Posts: 16
Joined: Fri Mar 26, 2010 7:38 pm

Re: Dragon Age: ORIGINS

Postby CoMPMStR » Sat May 22, 2010 1:59 am

Yes I think a wildcard search is in order. You would probably search for D81D???? or something along those lines.

The way you find it is the same way you find any other unknown cheat. First search unknown, then change it and search increased or decreased. Repeat until you've narrowed it down enough to sift through the remaining entries. If you don't know whether the value has increased or decreased you can use different/same as before instead. Lots of times even when a value is displayed on-screen, you still have no idea how the value is being stored until you search for it. ;) There are even times when the cheats are found unexpectedly, those are fun times. :D
CoMPMStR
(P)ot (I)n (M)y (P)ipe
 
Posts: 451
Joined: Thu Mar 06, 2008 7:50 am
Location: Best Place
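The DISABLE-bytecode search CoMPMStR describes in his earlier post, and the wildcard variant he suggests above for when a static operand has moved between versions, can be expressed as one byte-pattern search. This is an added Python example, not code from this thread or from MHS; the memory image is constructed (NOP filler plus two copies of the fcomp instruction with different operands), and "??" is my syntax for one wildcard byte.

```python
import re

# Constructed memory image: NOP filler, the v1.0 instruction from the script above
# (D8 1D 24 55 AB 00 = fcomp dword ptr [AB5524]), more filler, then the same opcode
# with a different absolute operand, as a patched build could produce.
IMAGE = (
    b"\x90" * 16
    + b"\xd8\x1d\x24\x55\xab\x00"   # fcomp dword ptr [00AB5524], at offset 16
    + b"\x90" * 10
    + b"\xd8\x1d\x44\x66\xab\x00"   # constructed: operand 00AB6644, at offset 32
    + b"\xcc" * 8
)

def compile_pattern(text: str):
    """'D8 1D 24 55 AB 00' or 'D81D????????' -> byte regex; '??' matches any one byte."""
    hexstr = text.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("hex string needs an even number of digits")
    parts = []
    for i in range(0, len(hexstr), 2):
        tok = hexstr[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0A

def find_pattern(image: bytes, text: str) -> list:
    """Offsets of every match of the (possibly wildcarded) byte pattern."""
    return [m.start() for m in compile_pattern(text).finditer(image)]

def to_module_relative(offset: int, module: str = "DAOrigins.exe") -> str:
    """Write a hit the way the Auto Assemble script above writes addresses."""
    return f"{module}+0x{offset:X}"

if __name__ == "__main__":
    print("exact  :", find_pattern(IMAGE, "D8 1D 24 55 AB 00"))
    print("wildcard:", [to_module_relative(o) for o in find_pattern(IMAGE, "D8 1D ?? ?? ?? ??")])
```

An exact search finds only the v1.0 instruction, while the wildcarded operand also picks up the relocated copy, which is the case the PS in the earlier post warns about.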

Re: Dragon Age: ORIGINS

Postby LykanthricAura » Sat May 22, 2010 4:28 am

Ok...And when you were looking for the instant refill value. Did you look for a decreasing floating point value or increasing? Just to get an idea of how it works.

PS: Btw...I mailed you long ago. Your trainer was awesome. You were the only one who managed to get the instant cool-down other than the people from CHppns. You know what I mean? EXCEPT for one thing. You used Ctrl+1, Ctrl+2 as the hotkeys. That led to a little bug and spoiled the game a bit. Had to use macros to remap my Num1, Num2 keys to Ctrl+1, Ctrl+2 etc...

But still Thanks a lot for all the help.
LykanthricAura
I Ask A Lot Of Questions
 
Posts: 16
Joined: Fri Mar 26, 2010 7:38 pm

Re: Dragon Age: ORIGINS

Postby CoMPMStR » Sat May 22, 2010 10:26 am

I'm almost positive it was an increasing value. All you do is find a skill with a rather large cooldown time. Use the skill then immediately pause the game and go search for an unknown value. Then unpause the game and let it refill for a split second, pause again and sub-search increased. Repeat as necessary. If it happens to refill all the way just use the skill again but sub-search decreased at first, then increased until it refills again. If searching for increased doesn't help you can even try it vice versa style. Try as many ways as possible. ;)

Yeah I read it but never got around to updating the trainer. I'm glad you found a fix and I apologize for any inconvenience.
CoMPMStR
(P)ot (I)n (M)y (P)ipe
 
Posts: 451
Joined: Thu Mar 06, 2008 7:50 am
Location: Best Place
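The narrowing procedure CoMPMStR lays out above (unknown initial search, then increased/decreased/changed sub-searches at each pause) is easy to see on a toy set of snapshots. This is an added Python example, not from the thread or from MHS; the snapshots are constructed, with the cooldown slot at 0x100C refilling while the other slots stay put or drift.

```python
# Constructed snapshots of a few float slots, taken at the pause points described above.
# 0x100C is the cooldown slot that refills; 0x1004 is a stat that happens to drop.
SNAPSHOTS = [
    {0x1000: 0.0, 0x1004: 100.0, 0x1008: 3.5, 0x100C: 0.0, 0x1010: 27.0},  # skill just used
    {0x1000: 0.0, 0x1004: 100.0, 0x1008: 3.5, 0x100C: 1.0, 0x1010: 27.0},  # refilled a bit
    {0x1000: 0.0, 0x1004: 99.0,  0x1008: 3.5, 0x100C: 2.5, 0x1010: 27.0},  # refilled more
]

class UnknownSearch:
    """Mimics 'search unknown' followed by sub-searches against later snapshots."""

    def __init__(self, first_snapshot: dict):
        self.candidates = dict(first_snapshot)  # every address is a candidate at first

    def sub_search(self, snapshot: dict, mode: str, delta: float = 0.0) -> list:
        """Keep only candidates whose new value satisfies the chosen relation."""
        tests = {
            "increased": lambda old, new: new > old,
            "decreased": lambda old, new: new < old,
            "changed": lambda old, new: new != old,
            "same": lambda old, new: new == old,
            "changed_by": lambda old, new: new - old == delta,
        }
        test = tests[mode]
        kept = {addr: snapshot[addr] for addr, old in self.candidates.items()
                if addr in snapshot and test(old, snapshot[addr])}
        self.candidates = kept
        return sorted(kept)

def narrow(snapshots: list, modes: list) -> list:
    """Run one sub-search per later snapshot; returns the surviving addresses."""
    search = UnknownSearch(snapshots[0])
    result = sorted(search.candidates)
    for snap, mode in zip(snapshots[1:], modes):
        result = search.sub_search(snap, mode)
    return result

if __name__ == "__main__":
    print([hex(a) for a in narrow(SNAPSHOTS, ["increased", "increased"])])
```

Two "increased" passes are enough here; the "same" then "decreased" pair shows how a value that is not the target can survive a single pass and why more pauses are needed.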
